55 comments

  1. GeeksAndTweaks

    Don’t be afraid to comment, you don’t even have to register :)

  2. InternetMarine

    Many thanks. I can’t believe I got through the whole thing. I couldn’t have gotten close without your help.

    PS – The grey against the black instructions almost had me shooting myself mid-way.

    1. GeeksAndTweaks

      Ahh I see what you mean. From my desktop I have firefox stripping out all theme colors so I hadn’t noticed. Here on my laptop I see what you mean, it’s hideous! I’ll work something out to make it better. Thanks for the heads up, and sorry for the late reply!

  3. JRad

    What output should I expect from ". ./easy-rsa/vars"?

    I get the following, which I think is wrong.

    jgr@jgr-desktop:/etc/openvpn$ . ./easy-rsa/vars
    bash: ”/etc/openvpn/easy-rsa”/whichopensslcnf: No such file or directory
    NOTE: If you run ./clean-all, I will be doing a rm -rf on ”/etc/openvpn/easy-rsa”/keys

    I appreciate your help. Thank you

    1. GeeksAndTweaks

      After running that command, run it again but leave off the first period and the space, i.e.:
      ./easy-rsa/vars

  4. Robert

    Did everything exactly as you did! But when I start OpenVPN at the end, I get an error which says "fail". Can you please tell me what might be the prob? :s

    1. GeeksAndTweaks

      Did you create the .ovpn file with the correct protocol and port that you chose during setup? It might take me a day or two to respond back, but bear with me and we'll get ya sorted out. Also, are you behind a router?

  5. mattltm

    Thanks for the tutorial, but it seems a bit incomplete.

    You have the line nano sysctl.conf but don't say what to edit in the file.

    Also, after /etc/init.d/openvpn start you say "begin newvpn.ovpn contents – copy below this line". Does this mean that you need to create a new file called newvpn.ovpn and paste your config into it (changing IP addresses)?

    Thanks.

    1. GeeksAndTweaks

      Good catch, after opening sysctl.conf you would want to un-comment (remove the #) from the line containing #net.ipv4.ip_forward=1
      I’ve edited the post above to reflect that.

      As for the .ovpn file, yes, you'll need that on the client machine that will be connecting. You put that file with the 3 others you downloaded from the server. Along with the IP you mentioned, make sure you also change the client names if you did not use "client1" as I did in the tutorial. Thanks for visiting and feel free to ask more questions as it helps me fine tune the tutorial for you and others :)

  6. Rdbrm

    Everything seems to have gone well. I'm not doing my setup on a VPS though, and for testing purposes I used the local address (192.168.1.10) in place of where "VPS" was used. Although when I go to use the OpenVPN client on my Windows machine to connect, it simply hangs at "Logging In". I'm unsure if it's on my server end or this simple little OpenVPN GUI app hanging me up.

    1. GeeksAndTweaks

      Is there a firewall that may be causing the issue? Behind a router perhaps? Also for the cert and key parameters in the .ovpn file are those the same as the name you chose for your client back at the ./easy-rsa/build-key client1 command? Lastly did you download the 2 .crt files and the .key file and place them in the same directory as the .ovpn file?

  7. Smith.lai

    Excuse me, in the content of openvpn.conf,
    isn't it better to replace 'proto tcp' with 'proto udp'?

    I don't understand what the "proto" means here....

    Does that mean 'I accept UDP only in this VPN'? Or that I'll be tunneling through UDP?

    1. GeeksAndTweaks

      Yes, you would replace TCP with UDP unless you're troubleshooting connection problems, perhaps due to a firewall. In the video you may have noticed that as I pasted it, it originally was TCP but I then changed it to UDP. Proto is short for "protocol", as in which protocol you wish your VPN to use. Thanks for visiting and commenting, sorry for the delay in my response!

  8. xtreme

    Hi!

    Can you help me? How do I set up port forwarding from the VPN server to a client in Ubuntu 12.04?

    Thanks

    1. GeeksAndTweaks

      I worked through this a while back and thought it would make a good tutorial. I’ll work on a new post for doing it. Thanks for visiting and make sure to check back, I’ll have a port forwarding tutorial up here in the next day or so.

  9. Anonymous

    Nice post.

    I tried to do it all, but after the line ". ./easy-rsa/vars", when I typed "./easy-rsa/clean-all" I got this error message: "-bash: ./easy-rsa/clean-all: No such file or directory". I tried using sudo or su before the command and the same issue still happens.

    1. GeeksAndTweaks

      Try running the “. ./easy-rsa/vars” command as root before running the “clean-all” command.

  10. Peter

    Hi, thanks to this tutorial it works ....... partly!
    I can connect from my Android phone to my Ubuntu server.
    I've got a running Apache server on one of my PCs connected to my home network. This Apache server is on a different PC than the OpenVPN server. So after successfully connecting to my OpenVPN server I open the homepage of the Apache server by typing the Apache IP number and the homepage is shown. So far so good. But when I want to connect to a website outside my home network it doesn't work. Mail checking is also not working yet.

    I only use the firewall of my router, and port 1194 of this router is connected to the internet and the OpenVPN server. Can you please help me out so it works completely?

    1. GeeksAndTweaks

      Did you tell the vpn server to forward all requests it receives? The part after we created the openvpn.conf? And did you restart the openvpn server process after doing so?

      echo 1 > /proc/sys/net/ipv4/ip_forward

      do "ifconfig" to get the adapter name and IP address (venet0 was mine since my VPS host is using OpenVZ)

      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to YOUR.VPS.IP

      cd ..

      nano sysctl.conf

      un-comment (remove the #) from the line containing #net.ipv4.ip_forward=1

      cd ..

      /etc/init.d/openvpn start
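The reply above lists the forwarding and NAT steps one at a time. As an added example (not code from the tutorial or from the poster), here they are as a single script with the checks you want when re-running it or moving it to a different machine: it reads the egress interface from the default route instead of assuming venet0 or eth0, un-comments the ip_forward line in sysctl.conf idempotently (and appends it if the line is missing), and adds the SNAT rule only if it is not already in the table. The VPN subnet 10.8.0.0/24 is the tutorial's; the script name, the sample `ip route` lines and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the forwarding/NAT steps in
# the reply above, with the checks a re-run or a different machine needs.
# Assumptions (not from the page): VPN subnet 10.8.0.0/24 as in the tutorial;
# the egress interface is read from the routing table instead of being typed
# in by hand (venet0 on an OpenVZ VPS, eth0 on most physical machines);
# iptables is the firewall in use.

VPN_NET="10.8.0.0/24"

# Print the interface carrying the default route. Reads `ip route` output from
# stdin so it can be checked offline; prints nothing if there is no default.
egress_iface_from_route() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Constructed sample of `ip route` output (not captured from any real host).
sample_ip_route() {
  printf 'default via 192.0.2.1 dev eth0 proto static\n'
  printf '192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10\n'
  printf '10.8.0.0/24 via 10.8.0.2 dev tun0\n'
}

# Make forwarding persistent in a sysctl.conf-style file: un-comment an
# existing "#net.ipv4.ip_forward=1" or append the setting if it is absent.
# Prints the resulting line so the caller can confirm exactly one is present.
enable_ip_forward_in_file() {
  f="$1"
  if grep -q '^[# ]*net\.ipv4\.ip_forward *= *1' "$f"; then
    sed -i 's/^[# ]*net\.ipv4\.ip_forward *= *1.*$/net.ipv4.ip_forward=1/' "$f"
  else
    printf 'net.ipv4.ip_forward=1\n' >> "$f"
  fi
  grep '^net\.ipv4\.ip_forward=1$' "$f"
}

# The SNAT rule from the reply above, as a single argument string.
# $1 = egress interface, $2 = public IP of the VPN server.
nat_rule_args() {
  printf 'POSTROUTING -s %s -o %s -j SNAT --to-source %s' "$VPN_NET" "$1" "$2"
}

# Add the rule only if it is not already there: -C tests for an existing
# rule, so running the script twice does not stack duplicate NAT rules.
apply_nat() {
  # shellcheck disable=SC2046  (splitting the printed args is intended)
  iptables -t nat -C $(nat_rule_args "$1" "$2") 2>/dev/null \
    || iptables -t nat -A $(nat_rule_args "$1" "$2")
}

# Live run (needs root, Linux, iptables): sh forward-nat.sh --apply 203.0.113.5
if [ "${1:-}" = "--apply" ]; then
  pubip="${2:?usage: $0 --apply PUBLIC_IP}"
  iface=$(ip route | egress_iface_from_route)
  [ -n "$iface" ] || { echo "no default route found" >&2; exit 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null      # same effect as echo 1 > /proc/sys/...
  enable_ip_forward_in_file /etc/sysctl.conf       # survives a reboot
  apply_nat "$iface" "$pubip"
  echo "forwarding on, NAT via $iface to $pubip"
fi
```

Run it as root on the VPN server with your public IP. If the server does not have a fixed public address, `-j MASQUERADE` without `--to-source` is the usual substitute for the SNAT rule. iptables rules are not persistent by themselves; save them with your distribution's iptables-persistent (or equivalent) once they work, otherwise the NAT rule is gone after the next reboot even though sysctl.conf keeps forwarding enabled.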

      1. Peter

        Hi, I'm not there yet but it's getting better.
        I can connect to my OpenVPN server and I can surf, but it seems that it surfs alongside my home network. When I'm trying to reach my Apache server (only reachable by home network and not internet), or any other kind of server in my home network, it won't work (XML error: page not found). My IP address is also not the IP address of my home network but of my internet connection. So, something is not working properly yet and hopefully you can help me (again).

        1. GeeksAndTweaks

          Did you run ifconfig and get the correct adapter name on the vpn server? The command iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to YOUR.VPS.IP has an adapter name in it common to VPS providers (venet0). If you’re trying this on a physical machine in your home I expect venet0 would be eth0 instead.

          1. Peter

            Hi, I found out what went wrong and I'm happy as a clown (hope that's the correct expression).
            I copied your lines into openvpn.conf, but accidentally all the " were changed into .
            So all of the push commands were wrong, because it read push . redirect-gateway def1. instead of push "redirect-gateway def1". After correcting them it all went well. Thanks for your tutorial and support.

            Still I have a question: I get a warning that states NO SERVER CERTIFICATE VERIFICATION HAS BEEN ENABLED. SEE http://openvpn.net/index.php/open-source/documentation/howto.html and there it is written about the Man-in-the-Middle (MITM) method. Is this a serious problem, and if so, what can I do?
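Peter's push-directive problem and the vars error in comment 3 (the ” characters that appear inside the EASY_RSA path in that error message) have the same cause: quotes copied from the rendered blog post are typographic characters, not the ASCII `"` that bash and OpenVPN parse. The following added example (not from the tutorial or from the posters) is a check-and-fix for that. It flags any non-ASCII byte in a config file, and rewrites the curly quotes, including the double prime ″ that the blog engine puts after a digit (compare `def1″` and `client1″` elsewhere in this thread), back to ASCII. The script and file names, and the sample config lines, are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Two failures in this thread
# come from the blog's typographic quotes being pasted into config files: the
# earlier vars error shows a ” inside the EASY_RSA path, and the push lines
# above lost their quoting. bash and OpenVPN only understand the ASCII quote
# characters " and ', so the check below flags any non-ASCII byte in a config
# file and the fixer rewrites the common curly quotes (and the ″ double prime
# WordPress puts after a digit, as in def1″) back to ASCII.

# Print "line:content" for every line holding a byte outside printable ASCII
# and whitespace; return 1 if any were found, 0 if the file is clean.
# LC_ALL=C makes grep look at bytes, so a UTF-8 quote cannot pass as [:print:].
find_non_ascii() {
  if LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"; then
    return 1
  fi
  return 0
}

# Filter: rewrite U+201C/U+201D/U+2033 to " and U+2018/U+2019/U+2032 to '.
# The UTF-8 byte sequences are built with printf octal escapes so this stays
# plain POSIX sh (no bash-only $'...' strings).
fix_curly_quotes() {
  ldq=$(printf '\342\200\234'); rdq=$(printf '\342\200\235'); dpr=$(printf '\342\200\263')
  lsq=$(printf '\342\200\230'); rsq=$(printf '\342\200\231'); spr=$(printf '\342\200\262')
  LC_ALL=C sed "s/$ldq/\"/g; s/$rdq/\"/g; s/$dpr/\"/g; s/$lsq/'/g; s/$rsq/'/g; s/$spr/'/g"
}

# Constructed sample of a pasted openvpn.conf fragment (not copied from the
# page): curly opening quotes, a double-prime closing quote, one clean line.
sample_pasted_config() {
  printf 'push \342\200\234redirect-gateway def1\342\200\263\n'
  printf 'push \342\200\234dhcp-option DNS 10.8.0.1\342\200\235\n'
  printf 'proto udp\n'
}

# Usage on a real file: sh quotecheck.sh /etc/openvpn/openvpn.conf
# Reports the offending lines and writes a fixed copy next to the original.
if [ -n "${1:-}" ]; then
  if find_non_ascii "$1"; then
    echo "$1: only ASCII, nothing to fix"
  else
    fix_curly_quotes < "$1" > "$1.fixed"
    echo "wrote $1.fixed; diff it against $1 before replacing"
  fi
fi
```

Run the check on easy-rsa/vars, openvpn.conf and every .ovpn you hand out; the grep also catches non-breaking spaces and other invisible characters that a web page can leave behind, which produce the same baffling "No such file or directory" style errors.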

          2. GeeksAndTweaks

            I would not worry about that warning. From the openvpn site about certificate verification it reads:

            # To use this feature, you will need to generate
            # your server certificates with the nsCertType
            # field set to "server". The build-key-server
            # script in the easy-rsa folder will do this.
            ;ns-cert-type server

            So I assume you would edit the build-key-server script then rebuild your keys. Again though, I would not worry about it.
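The quoted sample-config comment points the right way, but the warning Peter saw deserves more weight than the reply gives it. Without `ns-cert-type server` (deprecated in newer OpenVPN releases in favour of `remote-cert-tls server`) in the client config, the client accepts any certificate signed by the CA as the server, and every client certificate is signed by that same CA. Anyone holding one client certificate, including one client1 shared across several devices, can therefore pose as the server to the other clients; that is the man-in-the-middle case the OpenVPN HOWTO describes. The fix is on both sides: issue the server certificate with build-key-server, which signs it with the server extension profile (nsCertType=server and, in easy-rsa 2.x, extendedKeyUsage=serverAuth), and add `remote-cert-tls server` to each .ovpn. The added example below (not the tutorial's or OpenVPN's code) shows the check itself with the openssl CLI: it builds a throwaway CA, a server certificate and a client certificate, then verifies each against the TLS-server purpose. The names and file paths are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the OpenVPN project). It
# reproduces with the openssl CLI the check an OpenVPN client performs once
# "remote-cert-tls server" (or the older "ns-cert-type server") is in its
# .ovpn: the peer's certificate must be marked for TLS *server* use, so a
# certificate issued to a client cannot be used to impersonate the server.
# All names below ("Test CA", "server", "client1") are throwaway test names;
# everything is created in a temporary directory and deleted afterwards.
set -e

# Build a tiny PKI: CA, one server cert, one client cert. The extension
# profiles mirror what easy-rsa's build-key-server and build-key scripts put
# on server and client certificates (serverAuth/nsCertType=server vs. clientAuth).
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nnsCertType=server\n' > "$dir/server.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\nnsCertType=client\n' > "$dir/client.ext"

  # Self-signed CA; -extfile is the only source of extensions here, so the
  # result does not depend on whatever the system openssl.cnf contains.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  issue_cert "$dir" server "$dir/server.ext"
  issue_cert "$dir" client1 "$dir/client.ext"
}

# CSR plus CA-signed certificate for one name, with the given extension profile.
issue_cert() {
  dir="$1"; name="$2"; ext="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# Return 0 if the certificate chains to the CA *and* is fit to act as a TLS
# server, 1 otherwise. Without remote-cert-tls, an OpenVPN client only asks
# the first half of that question.
cert_ok_as_server() {
  openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Stand-alone demo: sh certpurpose.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d"
  cert_ok_as_server "$d" "$d/server.crt"  && echo "server.crt : accepted as VPN server"
  cert_ok_as_server "$d" "$d/client1.crt" || echo "client1.crt: rejected as VPN server (as it should be)"
  rm -rf "$d"
fi
```

On a real deployment, run `openssl verify -purpose sslserver -CAfile ca.crt server.crt` against the certificate you actually installed on the VPN server. If it fails, the server certificate was made with build-key rather than build-key-server, and clients carrying `remote-cert-tls server` will refuse to connect until it is re-issued; fix the certificate rather than dropping the directive.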

  11. Helppppp

    Hey, I have a problem: only one client at a time can connect to the server, and the server always assigns 6 IPs. I would like to apply dynamic local IPs but couldn't find the solution using Ubuntu Server 12.04.

    1. GeeksAndTweaks

      Did you generate a new certificate/key pair for each client, or are you using the same key on several machines? Also, I do not understand you when you say it always assigns 6 IPs.

  12. Dacuu

    Hi, thanks for your tutorial! I made a tutorial based on your tutorial for the Raspberry Pi.

    https://dl.dropbox.com/u/21429092/OpenVpn%20server%20Raspberry%20Pi.pdf

    I also had a few questions. What's the security of the OpenVPN? AES 256-bit? I use the client1 certificate on my laptop and Android smartphone. Can I use them at the same time? (I did not try it yet.) Or should I make more client certificates?

    1. GeeksAndTweaks

      Sweet, I'd love to tinker with a Pi, just gotta get my hands on one :) The default cipher OpenVPN uses is Blowfish, and you can use the same certificates across multiple devices.

      1. Dacuu

        Is there also a way to use certificates + password?

        1. GeeksAndTweaks

          Sure. You can find the instructions here.

          1. Dacuu

            Hi, thanks, but it's a little too hard for me. How can I manage this on my Pi?

          2. GeeksAndTweaks

            You’re wanting to host the VPN from the Pi?

      2. Dacuu

        I installed the VPN on my Pi and it works flawlessly, but I also want the password option, so certificates + password protection.

  13. tank

    Hey mate,
    thanks for the tut. I am using Tunnelblick and I am getting the following error, any ideas?

    Could not start OpenVPN (openvpnstart returned with status #242)

    Contents of the openvpnstart log:

    OpenVPN returned with status 1, errno = 2:
    No such file or directory

    Command used to start OpenVPN (one argument per displayed line):

    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn
    --cd
    /Library/Application Support/Tunnelblick/Shared/russ.tblk/Contents/Resources
    --daemon
    --management
    127.0.0.1
    1337
    --config
    /Library/Application Support/Tunnelblick/Shared/russ.tblk/Contents/Resources/config.ovpn
    --log
    /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sruss.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_49.1337.openvpn.log
    --management-query-passwords
    --management-hold
    --script-security
    2
    --up
    /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atADGNWradsgnw
    --down
    /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atADGNWradsgnw
    --up-restart
    --route-pre-down
    /Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atADGNWradsgnw

    Contents of the OpenVPN log:

    More details may be in the Console Log’s “All Messages”

    1. GeeksAndTweaks

      I'm going to be honest, I have not a clue. I've never worked with Tunnelblick or even a Mac for that matter! It appears to be unable to find a file or directory, so assuming all the ones it's looking for are indeed there, I would next look into checking permissions on them. I'm hoping at some point in the future someone with more Mac experience will have a spot-on answer for this and they do us the courtesy of leaving it here. Sorry, I'm a PC guy :(

    2. tank

      Mate, cheers for the assist. I did a full rebuild of my VPS Ubuntu 12.04 and managed to get connected to the VPN, but I can't seem to get internet connectivity?

      I have edited the sysctl.conf and put in the iptables rule. Any ideas?

      1. tank

        Mate, got it working, I'm a clown :) Clearly forgot to change the adapter to eth0.

        thanks for the tut :)

        1. GeeksAndTweaks

          Good job man, the tiniest little thing(s) can sometimes make a project like this a real pain. Thanks for visiting and commenting :)

  14. dave

    Thank you so much for all your help. I got everything to connect with your help. But for some reason, if I check to see what IP is showing, it still shows my public IP, not my VPN's IP. I did notice my client software does not show anything under traffic. Any help would be greatly appreciated.

    1. GeeksAndTweaks

      Maybe try a different client? I use OpenVPN GUI. It has a detailed log that can assist in diagnosing errors.

      1. dave

        Thank you so much at least now I have an idea!

      2. dave

        It seems like most of my errors are related to “SSL3_GET_SERVER_CERTIFICATE:certificate verify failed” Should I just not use a certificate? Or how would you suggest I try to fix it?

      3. dave

        Just wanted to say thanks! I did get it working after going through everything again, and on a clean system.

        1. GeeksAndTweaks

          Congrats man, good job!

  15. Sukosevato

    I can’t get it to work.

    I've followed everything literally on an Ubuntu 12.04 LTS desktop 64-bit machine.

    But when i try:
    ./easy-rsa/build-ca

    I get an error:
    ./pkitool: not found

    Kind of stuck there. When I do an ls -la I can see a pkitool file in the easy-rsa directory that is executable (green), so I have no idea why it can't find it.

    1. Sukosevato

      Hmmm, I did get it to work.

      The only problem is that performance sucks. Maybe you might have an idea.

      Server:
      Ubuntu 12.04 LTS 64-bit, 2 GB RAM / quad-core CPU, on a 100/100 Mbps fiber connection.
      OpenVPN installed on it.

      Client:
      Windows 7 64-bit, 16 GB RAM / quad-core CPU, on a 50/3 Mbps cable connection.

      When downloading from server to client I always max my 50 Mbps. So that's about 5.8 MB/s download. So speeds close to that should be achievable.

      However, I do not get past 800-900 kB/s, so about 6.4-7.2 Mbps.

      I've tried different MTUs, and all that stuff. 1400 seems to be about the best. Above and below it'll drop to 600 kB/s.

      I've tried turning compression off, no difference.

      I'm blaming the TAP adapter, which is 10 Mbps in Windows. But everywhere I read that shouldn't be the problem.

      I just won't get past the 800-900 kB/s. And I have no idea why.

      Any idea how i can increase performance? Would be much appreciated.

      It’s a nice guide btw.

      1. GeeksAndTweaks

        You already tried my first thoughts of messing with compression and MTU values etc. Even if the TAP adapter is 10 MB/s you should see higher speeds than 800-900 kB/s. I get around 2 mb/s from mine, so I know the adapter can get at least that fast. Maybe you have a firewall doing deep packet inspection slowing the traffic?

        1. Sukosevato

          I figured some stuff out.

          I've disabled the 'SPI firewall' in my router. Now I've managed to get about 1.25 MB/s over the link on my 50/3 Mbps home connection.

          I've also had other people test it.

          The server is located in the Netherlands btw.

          20/20 Mbps fiber connection from the same ISP as the server: 2.5 MB/s easily.
          65/15 Mbps cable connection from a friend in England: 2-3 MB/s easily.

          But on my own connection I just can't get past 1.25 MB/s, which is only 10 Mbps, and I have about 45 Mbps down.

          So I'm starting to think OpenVPN requires a symmetrical connection. Even though there is barely any uplink traffic while downloading at 1.25 MB/s, maybe like 50 kB/s up of the 300 kB/s up I have.

          I also have a PPTP VPN set up on another VM which is on the same 100/100 Mbps connection.

          And over that connection I achieve about 1.5 MB/s.

          But right now, when I tested that 1.5 MB/s, I only get about 600-700 kB/s over the OpenVPN. (The 1.25 MB/s I achieved in the middle of the night; now the rest of the house is online and web browsing. I can still download at 5 MB/s though.)

          But as far as I'm aware, VPN services for Hulu claim you can download at 80% of your internet connection due to encryption overhead, even if your upload is shitty.

          Though I just can't get it to work :P

          Any ideas to optimize OpenVPN?

    2. GeeksAndTweaks

      Looks like this is a documented bug fixed by copying pkitool. The following command will copy it to another place where it should work correctly.
      cp pkitool ../

  16. palermo

    Hi GeeksAndTweaks, how do I do this step: change

    export EASY_RSA="`pwd`"

    to

    export EASY_RSA="/etc/openvpn/easy-rsa"

    1. GeeksAndTweaks

      After you run the command nano easy-rsa/vars you want to edit the file that command opened. Once you've changed

      export EASY_RSA="`pwd`"
      to
      export EASY_RSA="/etc/openvpn/easy-rsa"

      Press Control+X to exit nano and it will prompt to save your changes. I hope this is what you were asking!

  17. palermo

    I use BackTrack 5 R1 Ubuntu.

    1. GeeksAndTweaks

      Sweet, and everything works as expected?

  18. b

    Hi,
    When I connect with my Windows 7 PC to my Raspberry Pi, I only get a 10 Mbit connection.
    But the Raspberry Pi has a 100 Mbit Ethernet port.

    http://i.imgur.com/3Wgy8.jpg

    1. GeeksAndTweaks

      From what I’ve read the TUN/TAP adapter will run at whatever speed the network hardware can support. Is there a router in your network, and is it able to run at 100Mb/s as well?

      1. Dacuu

        My switch is a gigabit switch and my router is also gigabit.